wildfly oidc client fails with JoseException while validating AccessToken


Ram Ct

Jul 5, 2022, 6:58:03 PM
to WildFly
Hi

I am using the Authorization Code flow for OIDC authentication with WildFly 26.1.1. In my earlier post about issuer validation (WildFly not using the issuer populated during discovery), ELY-2357 was created to track the issue.

I fixed the code to use the issuer obtained from the discovery response.

It proceeded further but failed while obtaining the jwtClaims for the access token.

File: TokenValidator.java
method: parseAndVerifyToken
            JwtClaims jwtClaims = new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(accessToken);
            log.info("parseAndVerifyToken: jwtClaims " + jwtClaims);
            return new VerifiedTokens(new IDToken(idJwtClaims), new AccessToken(jwtClaims));

What are the possible claims for access tokens? The OP is returning a simple string in my case. Is this Keycloak server specific?

The OpenID spec doesn't talk about the format of the access token.

{
   "access_token": "vwOFixFz18MrgoSiwjvL",
   "refresh_token": "zaYSjDyGsRKngcziIRZmik2usCBb5Q9Y4NJIGeyi",
   "scope": "openid",
   "id_token": "<id-token>",
   "token_type": "bearer",
   "expires_in": 3599
}

I added a few print statements and a printStackTrace in the parseAndVerify method, which may be reflected in the log below.

Please assist.

WildFly Log:

23:14:24,197 DEBUG [org.wildfly.security.http.oidc] (default task-1) Public keys successfully retrieved for client MyApp_NONPROD. New kids: [H4656ajgZsxbODPgazEpdktiJjnVsWP2AOHHkSC_Pu0, YTb54m5rvSddCOToNWBLbKZIS6aKszLp-kxgBSaYkVE, fnRTms8KHiVqcMH2IM2F_Pbe6hyoGSYrOnaam8YQ7vs, XpH2AwaJxKIxrTeR_TVLxUYbcoTO6FB2bchnF0QYDUE, Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE, UidMV85N7jtJ23p_9wjAQPdxiYs76IclqG-0QwGC_hQ]
23:14:24,198 INFO  [org.wildfly.security.http.oidc] (default task-1) parseAndVerifyToken: call registerValidator
23:14:24,202 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) Initializing jose4j (running with Java 11.0.14 from Oracle Corporation at C:\Program Files\Java\jdk-11.0.14 with [SUN version 11, SunRsaSign version 11, SunEC version 11, SunJSSE version 11, SunJCE version 11, SunJGSS version 11, SunSASL version 11, XMLDSig version 11, SunPCSC version 11, JdkLDAP version 11, JdkSASL version 11, SunMSCAPI version 11, SunPKCS11 version 11, WildFlyElytronDigestProvider version 1.0, WildFlyElytronHttpBasicProvider version 1.0, WildFlyElytronHttpBearerProvider version 1.0, WildFlyElytronHttpClientCertProvider version 1.0, WildFlyElytronHttpDigestProvider version 1.0, WildFlyElytronHttpFormProvider version 1.0, WildFlyElytronHttpSpnegoProvider version 1.0, WildFlyElytron version 1.0, WildFlyElytronClientDefaultSSLContextProvider version 1.0, WildFlyElytronKeyProvider version 1.0, WildFlyElytronPasswordProvider version 1.0, WildFlyElytronCredentialStoreProvider version 1.0, WildFlyElytronHttpExternalProvider version 1.0, WildFlyElytronKeyStoreProvider version 1.0, WildFlyElytronSaslAnonymousProvider version 1.0, WildFlyElytronSaslDigestProvider version 1.0, WildFlyElytronSaslEntityProvider version 1.0, WildFlyElytronSaslExternalProvider version 1.0, WildFlyElytronSaslGs2Provider version 1.0, WildFlyElytronSaslGssapiProvider version 1.0, WildFlyElytronSaslLocalUserProvider version 1.0, WildFlyElytronSaslOAuth2Provider version 1.0, WildFlyElytronSaslOTPProvider version 1.0, WildFlyElytronSaslPlainProvider version 1.0, WildFlyElytronSaslScramProvider version 1.0, openssl version 1.0, TLSP version 1.0, ApacheXMLDSig version 2.23] security providers installed)...
23:14:24,204 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.UnsecuredNoneAlgorithm(none|null) registered for alg algorithm none
23:14:24,205 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha256(HS256|HmacSHA256) registered for alg algorithm HS256
23:14:24,206 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha384(HS384|HmacSHA384) registered for alg algorithm HS384
23:14:24,207 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha512(HS512|HmacSHA512) registered for alg algorithm HS512
23:14:24,209 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP256UsingSha256(ES256|SHA256withECDSA) registered for alg algorithm ES256
23:14:24,210 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP384UsingSha384(ES384|SHA384withECDSA) registered for alg algorithm ES384
23:14:24,212 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP521UsingSha512(ES512|SHA512withECDSA) registered for alg algorithm ES512
23:14:24,213 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha256(RS256|SHA256withRSA) registered for alg algorithm RS256
23:14:24,214 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha384(RS384|SHA384withRSA) registered for alg algorithm RS384
23:14:24,214 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha512(RS512|SHA512withRSA) registered for alg algorithm RS512
23:14:24,216 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha256(PS256|RSASSA-PSS) registered for alg algorithm PS256
23:14:24,218 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha384(PS384|RSASSA-PSS) registered for alg algorithm PS384
23:14:24,219 DEBUG [org.jose4j.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (default task-1) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha512(PS512|RSASSA-PSS) registered for alg algorithm PS512
23:14:24,219 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) JWS signature algorithms: [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512]
23:14:24,221 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.RsaKeyManagementAlgorithm$Rsa1_5(RSA1_5|RSA/ECB/PKCS1Padding) registered for alg algorithm RSA1_5
23:14:24,222 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep(RSA-OAEP|RSA/ECB/OAEPWithSHA-1AndMGF1Padding) registered for alg algorithm RSA-OAEP
23:14:24,230 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep256(RSA-OAEP-256|RSA/ECB/OAEPWithSHA-256AndMGF1Padding) registered for alg algorithm RSA-OAEP-256
23:14:24,231 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.DirectKeyManagementAlgorithm(dir|null) registered for alg algorithm dir
23:14:24,232 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes128(A128KW|AESWrap) registered for alg algorithm A128KW
23:14:24,232 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes192(A192KW|AESWrap) registered for alg algorithm A192KW
23:14:24,233 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes256(A256KW|AESWrap) registered for alg algorithm A256KW
23:14:24,237 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.EcdhKeyAgreementAlgorithm(ECDH-ES|ECDH) registered for alg algorithm ECDH-ES
23:14:24,240 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes128KeyWrapAlgorithm(ECDH-ES+A128KW|N/A) registered for alg algorithm ECDH-ES+A128KW
23:14:24,242 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes192KeyWrapAlgorithm(ECDH-ES+A192KW|N/A) registered for alg algorithm ECDH-ES+A192KW
23:14:24,244 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes256KeyWrapAlgorithm(ECDH-ES+A256KW|N/A) registered for alg algorithm ECDH-ES+A256KW
23:14:24,246 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha256Aes128(PBES2-HS256+A128KW|n/a) registered for alg algorithm PBES2-HS256+A128KW
23:14:24,246 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha384Aes192(PBES2-HS384+A192KW|n/a) registered for alg algorithm PBES2-HS384+A192KW
23:14:24,247 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha512Aes256(PBES2-HS512+A256KW|n/a) registered for alg algorithm PBES2-HS512+A256KW
23:14:24,249 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes128Gcm(A128GCMKW|AES/GCM/NoPadding) registered for alg algorithm A128GCMKW
23:14:24,249 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes192Gcm(A192GCMKW|AES/GCM/NoPadding) registered for alg algorithm A192GCMKW
23:14:24,250 DEBUG [org.jose4j.jwa.AlgorithmFactory->KeyManagementAlgorithm] (default task-1) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes256Gcm(A256GCMKW|AES/GCM/NoPadding) registered for alg algorithm A256GCMKW
23:14:24,250 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) JWE key management algorithms: [RSA1_5, RSA-OAEP, RSA-OAEP-256, dir, A128KW, A192KW, A256KW, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, A128GCMKW, A192GCMKW, A256GCMKW]
23:14:24,251 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes128CbcHmacSha256(A128CBC-HS256|AES/CBC/PKCS5Padding) registered for enc algorithm A128CBC-HS256
23:14:24,252 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes192CbcHmacSha384(A192CBC-HS384|AES/CBC/PKCS5Padding) registered for enc algorithm A192CBC-HS384
23:14:24,252 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes256CbcHmacSha512(A256CBC-HS512|AES/CBC/PKCS5Padding) registered for enc algorithm A256CBC-HS512
23:14:24,253 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes128Gcm(A128GCM|AES/GCM/NoPadding) registered for enc algorithm A128GCM
23:14:24,254 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes192Gcm(A192GCM|AES/GCM/NoPadding) registered for enc algorithm A192GCM
23:14:24,254 DEBUG [org.jose4j.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (default task-1) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes256Gcm(A256GCM|AES/GCM/NoPadding) registered for enc algorithm A256GCM
23:14:24,254 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) JWE content encryption algorithms: [A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM]
23:14:24,256 DEBUG [org.jose4j.jwa.AlgorithmFactory->CompressionAlgorithm] (default task-1) org.jose4j.zip.DeflateRFC1951CompressionAlgorithm@96ec577 registered for zip algorithm DEF
23:14:24,257 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) JWE compression algorithms: [DEF]
23:14:24,258 DEBUG [org.jose4j.jwa.AlgorithmFactoryFactory] (default task-1) Initialized jose4j in 55ms
23:14:24,262 INFO  [org.wildfly.security.http.oidc] (default task-1) parseAndVerifyToken: getting claims
23:14:24,262 INFO  [org.wildfly.security.http.oidc] (default task-1) parseAndVerifyToken: build jwtClaims JWT Claims Set:{rt_hash=jqNH01Se8wQ9bN1V4tToZg, iat=1656558864, iss=https://oidc.stage.elogin.company.com, at_hash=ohMab0Zx5_3-G6GdlylrEQ, sub=username, exp=1656561324, acr=urn:company:aal1, aud=MyApp_NONPROD}
23:14:24,263 INFO  [org.wildfly.security.http.oidc] (default task-1) parseAndVerifyToken: accessToken vwOFixFz18MrgoSiwjvL
23:14:24,264 ERROR [stderr] (default task-1) org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 1.): vwOFixFz18MrgoSiwjvL]
23:14:24,264 ERROR [stderr] (default task-1)    at org.bitbucket.jose4j//org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:406)
23:14:24,265 ERROR [stderr] (default task-1)    at org.bitbucket.jose4j//org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:171)
23:14:24,265 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.TokenValidator.parseAndVerifyToken(TokenValidator.java:99)
23:14:24,265 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.OidcRequestAuthenticator.resolveCode(OidcRequestAuthenticator.java:363)
23:14:24,266 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.OidcRequestAuthenticator.authenticate(OidcRequestAuthenticator.java:284)
23:14:24,266 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.RequestAuthenticator.doAuthenticate(RequestAuthenticator.java:91)
23:14:24,267 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.RequestAuthenticator.authenticate(RequestAuthenticator.java:44)
23:14:24,267 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-http...@1.19.1.CR1-SNAPSHOT//org.wildfly.security.http.oidc.OidcAuthenticationMechanism.evaluateRequest(OidcAuthenticationMechanism.java:82)
23:14:24,267 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-ba...@1.19.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
23:14:24,268 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-ba...@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)
23:14:24,268 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-ba...@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)
23:14:24,269 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-ba...@1.19.0.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
23:14:24,270 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-web.under...@1.10.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
23:14:24,270 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
23:14:24,271 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
23:14:24,271 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
23:14:24,271 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
23:14:24,272 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
23:14:24,273 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
23:14:24,276 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
23:14:24,277 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
23:14:24,278 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
23:14:24,278 ERROR [stderr] (default task-1)    at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
23:14:24,278 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
23:14:24,279 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
23:14:24,279 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
23:14:24,280 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
23:14:24,280 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
23:14:24,280 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
23:14:24,281 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
23:14:24,281 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
23:14:24,282 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
23:14:24,282 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
23:14:24,283 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
23:14:24,284 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
23:14:24,285 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
23:14:24,285 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
23:14:24,285 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
23:14:24,286 ERROR [stderr] (default task-1)    at org.wildfly.extension.unde...@26.1.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
23:14:24,286 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
23:14:24,286 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
23:14:24,287 ERROR [stderr] (default task-1)    at io.undert...@2.2.17.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
23:14:24,287 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
23:14:24,288 ERROR [stderr] (default task-1)    at io.under...@2.2.17.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
23:14:24,288 ERROR [stderr] (default task-1)    at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
23:14:24,289 ERROR [stderr] (default task-1)    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
23:14:24,293 ERROR [stderr] (default task-1)    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
23:14:24,293 ERROR [stderr] (default task-1)    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
23:14:24,294 ERROR [stderr] (default task-1)    at org.jbo...@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
23:14:24,294 ERROR [stderr] (default task-1)    at java.base/java.lang.Thread.run(Thread.java:834)
23:14:24,295 ERROR [stderr] (default task-1) Caused by: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 1.
23:14:24,295 ERROR [stderr] (default task-1)    at org.bitbucket.jose4j//org.jose4j.jwx.JsonWebStructure.fromCompactSerialization(JsonWebStructure.java:90)
23:14:24,296 ERROR [stderr] (default task-1)    at org.bitbucket.jose4j//org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:320)
23:14:24,296 ERROR [stderr] (default task-1)    ... 49 more
23:14:24,297 ERROR [org.wildfly.security.http.oidc] (default task-1) ELY23013: Failed verification of token: ELY23019: Invalid ID token
23:14:55,914 DEBUG [io.undertow.request] (default I/O-14) Timing out idle connection from /127.0.0.1:62116
23:15:24,358 DEBUG [io.undertow.request] (default I/O-12) Timing out idle connection from /127.0.0.1:62115
23:18:48,520 DEBUG [org.jboss.as.repository] (ServerService Thread Pool -- 1) Current content hash references are {81a64eaaef1a43155a50d2abcd8f0e158e9cd329=[ContentReference{contentIdentifier=/deployment=DtossApp.war, hexHash=81a64eaaef1a43155a50d2abcd8f0e158e9cd329}]}

Farah Juma

Jul 6, 2022, 11:16:54 AM
to WildFly
The current OIDC support assumes access tokens are JWTs. If the access tokens are opaque tokens, this won't work yet. ELY-2202 tracks adding support for this.
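An added example (not WildFly Elytron or jose4j project code) showing the defensive check a client can make before handing a token-endpoint access_token to jose4j, which is the point of the exchange above: a JOSE compact serialization is dot-separated with 3 segments (JWS) or 5 (JWE), so anything else, such as the 20-character string in the first post, is opaque and must go to RFC 7662 introspection or the UserInfo endpoint instead of processToClaims. The second method goes beyond the snippet in the thread by verifying the signature against the provider's JWKS and checking issuer, audience and expiry rather than skipping them; jwksUri, expectedIssuer and clientId are assumed inputs taken from the discovery document and the client configuration.

```java
import java.util.Optional;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/** Added example, not WildFly Elytron code: classify an access token before parsing it as a JWT. */
public final class AccessTokenShape {

    public enum Shape { JWS, JWE, OPAQUE }

    /**
     * JOSE compact serialization is '.'-separated: 3 segments for a JWS, 5 for a JWE.
     * Anything else (including the provider's random string in this thread) is opaque.
     */
    public static Shape classify(String token) {
        if (token == null || token.isEmpty()) {
            return Shape.OPAQUE;
        }
        // limit -1 keeps trailing empty segments, so "a.b." still counts as 3 segments
        int segments = token.split("\\.", -1).length;
        switch (segments) {
            case 3:  return Shape.JWS;
            case 5:  return Shape.JWE;
            default: return Shape.OPAQUE;
        }
    }

    /**
     * Verify a JWT-formatted access token. Returns Optional.empty() for opaque (or encrypted)
     * tokens so the caller can fall back to RFC 7662 introspection or the UserInfo endpoint
     * instead of hitting the JoseException seen in the log above.
     *
     * jwksUri, expectedIssuer and clientId are assumed inputs (discovery document / client config).
     */
    public static Optional<JwtClaims> verifyJwtAccessToken(String token, String jwksUri,
                                                           String expectedIssuer, String clientId)
            throws InvalidJwtException {
        if (classify(token) != Shape.JWS) {
            return Optional.empty();
        }
        // Resolve the signing key by 'kid' from the provider's JWKS (HttpsJwks caches the key set).
        HttpsJwksVerificationKeyResolver keyResolver =
                new HttpsJwksVerificationKeyResolver(new HttpsJwks(jwksUri));
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setVerificationKeyResolver(keyResolver)
                // Pin the accepted algorithm instead of trusting the token header's 'alg'.
                .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256)
                .setExpectedIssuer(expectedIssuer)   // the issuer from discovery, as in ELY-2357
                .setExpectedAudience(clientId)
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .build();
        return Optional.of(consumer.processToClaims(token));
    }

    public static void main(String[] args) {
        // Constructed samples: the opaque token from the thread and two JWT-shaped strings.
        System.out.println(classify("vwOFixFz18MrgoSiwjvL"));
        System.out.println(classify("eyJhbGciOiJSUzI1NiJ9.e30.c2ln"));
        System.out.println(classify("a.b.c.d.e"));
    }
}
```

Only the JWS branch is verified here; a JWE access token would need the client's decryption key and is treated like opaque for the purposes of the fallback decision.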

Ram Ct

Jul 8, 2022, 8:47:39 AM
to WildFly
Thanks. After some tweaks I could get it to work; the ID token now has

{
  "rt_hash": "H_lak_2roH77wirIgFDyTw",
  "given_name": "romeo",
  "email": "ro...@space.com",
  "iat": 1657281530,
  "iss": "https://oidc.stage.elogin.space.com",
  "preferred_username": "romeo",
  "at_hash": "cF986w62z84w1rq_gqWZSQ",
  "sub": "romeo",
  "family_name": "researcher",
  "exp": 1657283990,
  "acr": "urn:space:aal1",
  "aud": "MyApp_NONPROD"
}


I can access the 'sub' value from the req.getPrincipal() call in the servlet. How do I access other values like email, given_name, family_name in the application?

{"access_token":"BJ15WBNJE07aMfSPkO8h","refresh_token":"t52poihcPsvGnmKSPvaFXoV8OvdE9M5tv9C8YY7B","scope":"openid profile email","id_token":"<above>","token_type":"bearer","expires_in":3599}

Also, does the application have access to the current active access_token to make a user-info call? Are these values part of the HTTP session object?

thank you
Ram

Farah Juma

Jul 8, 2022, 10:28:06 AM
to WildFly
To access the tokens directly, the OidcSecurityContext can be used. It is available as an attribute in the HttpServletRequest, e.g.,

OidcSecurityContext oidcSecurityContext = (OidcSecurityContext)req.getAttribute(OidcSecurityContext.class.getName());
IDToken idToken = oidcSecurityContext.getIDToken();
String familyName = idToken.getFamilyName();


If you need the access token itself, oidcSecurityContext.getTokenString() can be used.
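An added example servlet (not from the thread or the WildFly project) that puts the reply above to work: it pulls OidcSecurityContext from the request attribute, reads ID token claims, and uses getTokenString() as a bearer token for the UserInfo call asked about earlier. getIDToken(), getFamilyName() and getTokenString() are the calls named in the reply; getEmail(), getGivenName() and getPreferredUsername() on IDToken are assumed to exist, and USERINFO_URL is a placeholder for the userinfo_endpoint from your provider's discovery document.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.wildfly.security.http.oidc.IDToken;
import org.wildfly.security.http.oidc.OidcSecurityContext;

/** Added example, not WildFly code: read ID token claims and call UserInfo with the access token. */
@WebServlet("/profile")
public class ProfileServlet extends HttpServlet {

    // Placeholder: replace with the userinfo_endpoint from the provider's discovery document.
    private static final String USERINFO_URL = "https://oidc.example.invalid/userinfo";

    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Elytron stores the security context on the request under the class name (see reply above).
        OidcSecurityContext ctx =
                (OidcSecurityContext) req.getAttribute(OidcSecurityContext.class.getName());
        if (ctx == null || ctx.getIDToken() == null) {
            // No OIDC authentication happened for this request (e.g. an unprotected URL).
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        IDToken idToken = ctx.getIDToken();
        resp.setContentType("text/plain;charset=UTF-8");
        // getFamilyName() is from the thread; the other three getters are assumed to exist on IDToken.
        resp.getWriter().printf(
                "sub=%s%npreferred_username=%s%ngiven_name=%s%nfamily_name=%s%nemail=%s%n",
                req.getUserPrincipal() != null ? req.getUserPrincipal().getName() : "<none>",
                idToken.getPreferredUsername(), idToken.getGivenName(),
                idToken.getFamilyName(), idToken.getEmail());

        // The raw access token is only needed for outbound calls; never write it to the response or logs.
        String accessToken = ctx.getTokenString();
        if (accessToken != null) {
            resp.getWriter().println("userinfo=" + fetchUserInfo(accessToken));
        }
    }

    /** Call the UserInfo endpoint as an RFC 6750 bearer request; returns the body or an error marker. */
    String fetchUserInfo(String accessToken) throws IOException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(USERINFO_URL))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                .timeout(Duration.ofSeconds(5))
                .GET()
                .build();
        try {
            HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                // A 401 here usually means the access token expired or was revoked; do not echo the token.
                return "error: HTTP " + response.statusCode();
            }
            return response.body();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("UserInfo call interrupted", e);
        }
    }
}
```

The servlet reads everything from the request attribute rather than copying tokens into the HttpSession, so the token lifetime stays tied to what Elytron manages and nothing extra has to be cleared on logout.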